ADFS - SPN and replace certificate

  • Question

  • During the AD FS configuration wizard on Server 2016 we received a warning:

    How to fix this?

    server name: adfs.domain.local
    service account: DOMAIN\adfsACC or ADFS@domain.local

    And we need to change the certificate on this (1st) AD FS server. What is the easiest way to do that with PowerShell commands?

    Thanks, with best regards


    bostjanc

    Monday, October 24, 2016 11:40 AM

Answers

    1. You can locate the duplicate SPN in the environment by running the command "setspn -x", remove the SPN from the AD account to which it should not be associated, and manually place the SPN on the AD account to which it should be associated.  According to your description, the SPN should only be associated with the AD account "DOMAIN\adfsACC".  As info, SPNs must be unique within the AD database; otherwise Kerberos authentication will fail or only work intermittently for all SSO operations that use the SPN of that account.
    2. Regarding the SSL certificate replacement, I've never done it myself, but I've found this article for you:

    AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates


    Best Regards, Todd Heron | Active Directory Consultant

    • Proposed as answer by Liinus Monday, October 24, 2016 12:47 PM
    • Unproposed as answer by B_C_R Monday, October 24, 2016 12:49 PM
    • Marked as answer by B_C_R Monday, October 24, 2016 1:43 PM
    Monday, October 24, 2016 12:16 PM
  • Thanks for your reply.
    For changing the SSL certificate, I solved it by following the instructions on this site (http://www.blackmanticore.com/332874ac9a2f5e7bc6c05d6aef42fd3f ).

    For the SPN I will need to take a closer look.


    bostjanc

    • Marked as answer by B_C_R Monday, October 24, 2016 1:43 PM
    Monday, October 24, 2016 12:22 PM
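The original question asked for the certificate change as PowerShell commands, and the thread only links to an article. The following is an added example, not code from the thread or from the linked article, showing the cmdlets that replace the SSL and service-communications certificate on an AD FS 2016 node. The PFX path C:\certs\adfs.pfx, the service account DOMAIN\adfsACC and the assumption that the PFX has already been imported on every farm node are mine.

```powershell
# Added example, not from the thread or the linked article. Swap the SSL and
# service-communications certificate on the first AD FS 2016 node with the AD FS
# cmdlets. Assumptions (mine): the new certificate is at C:\certs\adfs.pfx and has
# been imported into Cert:\LocalMachine\My on every other farm node, the AD FS
# service runs as DOMAIN\adfsACC, and this runs elevated on the primary node.
Import-Module ADFS

$PfxPath     = 'C:\certs\adfs.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Import into the machine store and keep the certificate object for its thumbprint.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# 2. Check the certificate before AD FS is pointed at it: private key present,
#    not expired, and the federation service name covered by the SAN.
if (-not $cert.HasPrivateKey) { throw 'PFX contained no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'certificate has already expired' }
$fsName = (Get-AdfsProperties).HostName
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($san -notmatch [regex]::Escape($fsName)) {
    throw "certificate SAN '$san' does not cover the federation service name $fsName"
}

# 3. The AD FS service account must be able to read the private key. That is set
#    on the key itself (certlm.msc -> certificate -> All Tasks -> Manage Private
#    Keys -> grant Read to DOMAIN\adfsACC); the cmdlets below do not do it.

# 4. Bind the new certificate to the HTTPS listener, then make it the service
#    communications certificate. Token-Signing and Token-Decrypting are deliberately
#    left alone: by default they are self-signed and rolled automatically
#    (AutoCertificateRollover), and replacing them breaks every relying party that
#    still holds the old signing certificate until it refreshes the federation metadata.
Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $cert.Thumbprint

# 5. Restart the service and verify both settings point at the new thumbprint.
Restart-Service adfssrv
Get-AdfsSslCertificate
Get-AdfsCertificate -CertificateType Service-Communications | Format-List CertificateType, Thumbprint, IsPrimary
```

The SAN check is the step most worth keeping: AD FS will happily bind a certificate whose name does not match the federation service name, and the failure then only shows up client-side as a TLS name mismatch.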

All replies

  • setspn -x returns no duplicates.

    Can you please "teach me" how to set up the SPN to work with the adfs@domain.local account?
    Maybe it got confused because I used the server name adfs.domain.local.
    I will create a new service account, name it adfs-service@domain.local, and google how to change the service account. Setting the SPN manually is probably still something I can't avoid after changing the name of the service account, right?


    bostjanc

    Monday, October 24, 2016 1:02 PM
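Todd's first point (find the SPN, take it off the wrong object, put it on the service account) and the follow-up above (setspn -x shows nothing) fit together: setspn -x only reports SPNs that appear on two or more objects, so an SPN that sits on a single wrong object, or on no object at all, never shows up there. The following is an added example, not code from the thread, that queries the directory for the holder of the AD FS SPN and moves it. The values adfs.domain.local, DOMAIN and adfsACC are taken from the question; the SPN form host/<federation service name> is what the AD FS wizard registers on the service account, and the NetBIOS name DOMAIN is an assumption.

```powershell
# Added example, not from the thread. Locate the AD FS service SPN and move it to
# the service account the configuration wizard checks.
# Assumptions: federation service name adfs.domain.local, NetBIOS domain DOMAIN,
# service account adfsACC, RSAT ActiveDirectory module present, run in an
# elevated PowerShell as a domain admin.
Import-Module ActiveDirectory

$Domain                = 'DOMAIN'
$ServiceAccount        = 'adfsACC'
$FederationServiceName = 'adfs.domain.local'
$Spn                   = "host/$FederationServiceName"

# setspn -x only lists SPNs present on two or more objects, so ask the directory
# directly which object (if any) holds this one.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                        -Properties servicePrincipalName, dNSHostName, sAMAccountName
if (-not $holders) {
    Write-Host "$Spn is not registered on any object"
}

$onServiceAccount = $false
foreach ($obj in $holders) {
    Write-Host "$Spn is registered on $($obj.ObjectClass) $($obj.DistinguishedName)"

    if ($obj.ObjectClass -eq 'user' -and $obj.sAMAccountName -eq $ServiceAccount) {
        $onServiceAccount = $true
        continue   # already where it belongs
    }

    # A computer account registers host/<its own FQDN> automatically. If the
    # federation service name equals a server's FQDN the SPN can never be moved
    # to the service account; the federation service name has to change instead,
    # so stop here rather than strip a computer's own host/ SPN.
    if ($obj.ObjectClass -eq 'computer' -and $obj.dNSHostName -ieq $FederationServiceName) {
        throw "$FederationServiceName is the hostname of $($obj.DistinguishedName); choose a federation service name that is not a server name"
    }

    Set-ADObject -Identity $obj -Remove @{ servicePrincipalName = $Spn }
    Write-Host "Removed $Spn from $($obj.DistinguishedName)"
}

# Register the SPN on the service account. setspn -S checks for an existing
# holder first and refuses to create a duplicate.
if (-not $onServiceAccount) {
    setspn -S $Spn "$Domain\$ServiceAccount"
}

# Verify: the service account lists the SPN and the forest has no duplicates.
setspn -L "$Domain\$ServiceAccount"
setspn -X
```

The computer-account check is the case this thread ran into: the poster used adfs.domain.local as both the server name and the federation service name, and the wizard cannot register host/adfs.domain.local on the service account while the computer account already owns it.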
  • OK, removing the AD FS role, restarting the server, re-adding the role, going through the procedure again and changing the service account (we had to overwrite the previous Windows Internal Database) did the trick.

    bostjanc

    Monday, October 24, 2016 1:43 PM